Ah Python, you have spoiled me for all other languages
Johannes Bauer
dfnsonfsduifb at gmx.de
Sat May 23 02:55:10 EDT 2015
On 23.05.2015 05:31, Michael Torrie wrote:
> Sigh. I blame this as much on the browser. There's no inherent reason
> why a connection to a site secured with a self-signed certificate is
> insecure.
The problem is *not* that the certificate is self-signed.
It's that it's unknown prior to being encountered within the TLS
handshake. And that *does* make it inherently insecure.
Not algorithmically, obviously. I can still do a DH-handshake with the
remote peer that will generate a shared secret no eavesdropper will
know. The browser just can't be sure that whoever it negotiated the DH
with is really the endpoint (i.e. the webserver). That is the problem.
I dislike CAs as much as the next guy. But the problem of distributing
trust is just not easy to solve; a TTP is a way out. Do you have an
alternative that does not, at the same time as providing a solution, also
open up obvious attack surface?
Cheers,
Johannes
--
>> Where EXACTLY did you predict the quake again?
> At least not publicly!
Ah, the latest and to this day most ingenious stunt of our great
cosmologists: the secret prediction.
- Karl Kaos on Rüdiger Thomas in dsa <hidbv3$om2$1 at speranza.aioe.org>
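
The point made in the message above, as an added Python sketch that is not part of the original post: an unauthenticated DH exchange always yields a shared secret, but only a key known before the handshake tells the client who holds the other end. The toy group, the use of a static DH public value as a stand-in for a certificate, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters, for illustration only: 2**127 - 1 is prime but far too
# small for real use. The "certificate" is modelled as a static DH public value.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()

def session_key(priv, peer_pub):
    # Hash of the DH shared value; both ends derive the same string.
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).hexdigest()

def client_connect(presented_pub, known_fp=None):
    """Client side of the exchange.

    presented_pub is whatever public value arrived on the wire.
    known_fp is the fingerprint the client learned *before* the handshake
    (out of band, or vouched for by a TTP); None models an unknown cert.
    Returns (client_pub, key) or raises ValueError on a mismatch.
    """
    if known_fp is not None and fingerprint(presented_pub) != known_fp:
        raise ValueError("presented key does not match the one known beforehand")
    priv, pub = keypair()
    return pub, session_key(priv, presented_pub)

def run(intercepted, pinned):
    """Simulate one connection; report who ends up sharing the client's key."""
    srv_priv, srv_pub = keypair()
    mid_priv, mid_pub = keypair()  # a party sitting on the network path
    on_wire = mid_pub if intercepted else srv_pub
    known = fingerprint(srv_pub) if pinned else None
    try:
        cli_pub, key = client_connect(on_wire, known)
    except ValueError:
        return "rejected"
    if key == session_key(srv_priv, cli_pub):
        return "server"
    if key == session_key(mid_priv, cli_pub):
        return "interceptor"
    return "nobody"
```

In the unpinned case the client completes the exchange either way and cannot tell the two outcomes apart; only the comparison against the previously known fingerprint separates them.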